Configuring the VyOS VPN Instance on GCP
To configure the VyOS VPN Instance on GCP:
As part of the PoC script that is run, the VM instance of a Velostrata VYOS VPN Gateway is created with its Serial console option enabled.
Also, The Velostrata VYOS VPN Gateway in GCP is assigned with FW Tag - 'fw-vpn', allowing inbound connectivity for the OpenVPN tunnel using port UDP/1194, as well as to allow SSH to the private IP address from the source on-premises environment (the outbound public IP configured during the deployment script execution).
- Open the google cloud console, and locate the velosvpngateway instance.
- Connect to the VM serial console - under "remote access" click "connect to serial console". use the following credentials:
User: vyos, Password: vyos
- Change the Velos VPN Gateway default password by entering the following command:
conf set system login user vyos authentication plaintext-password ‘password’ commit save exit
- Delete all existing route table entries
- To view current route table entries, enter the following command, and document the VM's default gateway IP:
sudo ip route show
- Delete all existing route table entries:
sudo ip route delete xxx.xxx.xxx.xxx sudo ip route delete 127.0.0.0/8
Using the nano editor and using the sudo - edit the config file 'vyatta-postconfig-bootup.script' placed under /opt/vyatta/etc/config/scripts/
sudo nano -w /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
Add the following lines to it (replace defaultGatewayIp with the public subnet gateway IP for the VPC, for example 10.10.1.1):
ip route add 'defaultGatewayIp' dev eth0 ip route append default via 'defaultGatewayIp'
save by clicking Ctrl+X -> Save -> Exit
- Upgrade the VyOS image using the following command, Accept all defaults and when finished - Reboot.
add system image https://downloads.vyos.io/release/1.1.8/vyos-1.1.8-i586.iso
9. Change MTU value for eth0.
config set interfaces ethernet eth0 mtu 1460 commit save exit
- Next, we will need to copy the shared secret key file obtained previously from the VyOS virtual appliance on-prem to the velosvpngw appliance.
replace the VyosNewPass with the new password you have configured for the cloud appliance and the IP of the appliance
pscp -pw VyosNewPass secret firstname.lastname@example.org:/config/auth
11. Using PuTTY or the Serial console, connect to the VyOS instance on GCP to proceed with its configuration.
12. Configure source based NAT for the private subnet network. The VyOS instance will function as a NAT gateway, enabling private subnet instances to access the Internet.
config set nat source rule 100 outbound-interface 'eth0' set nat source rule 100 translation address masquerade
- Setup the VPN tunnel using OpenVPN.
set interfaces openvpn vtun0 local-address 172.16.100.1 set interfaces openvpn vtun0 mode site-to-site set interfaces openvpn vtun0 protocol udp set interfaces openvpn vtun0 openvpn-option --comp-lzo set interfaces openvpn vtun0 keep-alive interval 10 set interfaces openvpn vtun0 keep-alive failure-count 5 set interfaces openvpn vtun0 remote-address 172.16.100.2 set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
- Set a static route to direct workloads traffic from the private subnet to the corporate network. replace the 192.168.10.0/24 below with the on-premises network subnet
set protocols static route 192.168.10.0/24 next-hop 172.16.100.2
- Commit and save the configuration.
commit save exit
- Verify that the VPN tunnel has been established.
show openvpn site-to-site status ping 172.16.100.2